-1

I tried to use Google today (using Google Chrome), and when I search, it shows me the search page, but the top header says that I'm not signed in, although I am. I tried to sign in again, and the same thing happened.

So I tried to use Firefox; whenever I try to access https://www.google.com/ it gives me "www.google.com uses an invalid security certificate".

I tried with Microsoft Edge and it worked fine.

I even disabled the antivirus (Avira) and cleaned all of my browsers' history, and even used CCleaner to clean the registry and other applications.

Same thing. Is there a way to delete all of my certificates?

I'm using Windows 10.

UPDATE:

It seems that this is a proxy problem,


That script is downloading code to change my proxy settings:

    function FindProxyForURL(url, host) {
        a = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (a.test(url)) { return "PROXY 93.190.137.240:8484" }
        b = /^https?:\/\/www\.google\.[a-zA-Z.]+\/\?(.*)$/;if (b.test(url)) { return "PROXY 93.190.137.240:8484" }
        c = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (c.test(url)) { return "PROXY 93.190.137.240:8484" }
        d = /^https?:\/\/www\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (d.test(url)) { return "PROXY 93.190.137.240:8484" }
        e = /^https?:\/\/www\.google\.[a-zA-Z.]+\/s\?(.*)$/;if (e.test(url)) { return "PROXY 93.190.137.240:8484" }
        f = /^https?:\/\/cse\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (f.test(url)) { return "PROXY 93.190.137.240:8484" }

        return "DIRECT";
    }

But I couldn't disable that option.

Ouerghi Yassine
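
A PAC script like the one quoted in the question can be triaged without executing it. The following is an added example, not part of the original post: it extracts each regex rule and the proxy it returns, then reports which probe URLs would be redirected. The function names and probe URLs are assumptions, and the embedded sample is constructed from three of the quoted rules.

```javascript
// Added example: static triage of a PAC script. The PAC text is never executed.
// SAMPLE_PAC is constructed from three of the rules quoted in the question.
const SAMPLE_PAC = String.raw`function FindProxyForURL(url, host) {
a = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (a.test(url)) { return "PROXY 93.190.137.240:8484" }
c = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (c.test(url)) { return "PROXY 93.190.137.240:8484" }
f = /^https?:\/\/cse\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (f.test(url)) { return "PROXY 93.190.137.240:8484" }
return "DIRECT";
}`;

// A proxy directive as a PAC function returns it, e.g. "PROXY host:port".
const DIRECTIVE = /\b(?:PROXY|SOCKS[45]?|HTTPS?)\s+([\w.-]+:\d{1,5})\b/;
// Heuristic: a regex literal on the right-hand side of an assignment.
// It does not handle an unescaped "/" inside a character class.
const REGEX_LITERAL = /=\s*\/((?:\\.|[^\/\\\n])+)\/([gimsuy]*)/g;

// Pair each regex literal with the first proxy directive that follows it,
// before the next regex literal. Assumes the "test, then return" layout
// used by the script in the question.
function extractRules(pacText) {
  const hits = [...pacText.matchAll(REGEX_LITERAL)];
  const rules = [];
  hits.forEach((hit, i) => {
    const end = i + 1 < hits.length ? hits[i + 1].index : pacText.length;
    const directive = DIRECTIVE.exec(pacText.slice(hit.index + hit[0].length, end));
    if (!directive) return; // this regex does not guard a proxy return
    try {
      const flags = hit[2].replace(/[gy]/g, ""); // avoid stateful lastIndex in test()
      rules.push({ pattern: new RegExp(hit[1], flags), proxy: directive[1] });
    } catch (e) { /* not a valid regex, skip it */ }
  });
  return rules;
}

// Report, for each probe URL, the proxy the script would return ("DIRECT" if none).
function triagePac(pacText, probeUrls) {
  const rules = extractRules(pacText);
  const routed = {};
  for (const url of probeUrls) {
    const rule = rules.find((r) => r.pattern.test(url));
    routed[url] = rule ? rule.proxy : "DIRECT";
  }
  return { proxies: [...new Set(rules.map((r) => r.proxy))], routed };
}

// Constructed probe URLs (hypothetical, for illustration only).
const PROBES = ["https://www.google.com/", "https://www.google.com/search?q=test",
  "https://cse.google.com/cse?cx=1", "https://mail.google.com/", "https://example.com/search?q=test"];
console.log(triagePac(SAMPLE_PAC, PROBES));
```

The extractor only covers regex-based rules like those in the question; a PAC script that matches with helpers such as shExpMatch needs a different extractor.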

2 Answers

1

I also had a browser hijacking issue and had my proxy settings updated by a background process, and on top of that my Security Center was disabled along with the firewall.

The following is based on Windows 10, but it should work on 8.1 also. Also, I removed the machine from any network (including the internet) before performing these steps, but they may also work without doing so.

Here is what I did to get rid of the issue:

  1. Open Task Manager and kill the following processes (mind the sequence, and kill any process that you see listed below)

    • SkypeUpdateEx.exe
    • winsecurity.exe
    • syshostctl.exe
    • sysnetwk.exe.exe
  2. Delete the following folders. Note that the 'programdata' folder is hidden, so you may want to type the location in the address bar.

    • C:\ProgramData\Microsoft\Network\dsq. Note that any other folder besides 'Connections' and 'Downloader' is suspicious.
    • C:\ProgramData\Windows Security. This folder is not related to Windows.
    • C:\Program Files (x86)\SkypeUpdateEx.exe. No, this is not related to Skype.
  3. Check and update the etc\host file

    • Run notepad in 'administrator' mode
    • Open 'c:\Windows\System32\drivers\etc\host'. 'host' is the name of the file
    • Remove any line that has URLs mentioned against 127.0.0.1
    • Save the file
  4. Correct proxy settings

    • Go to Settings -> Network & Internet -> Proxy
    • Disable the proxy
    • Open Registry Editor (type regedit from the command prompt, Run, or Windows search to open it)
    • Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings and delete the key that has a 127.0.0.1 entry. Apologies, as I don't remember the key name, but this information should be sufficient.
  5. Fix Security Center

    • Go to https://support.microsoft.com/en-in/kb/2519899
    • Scroll down to 'Here's an easy fix' and download the fix for Windows 8. Yes, it will work for 10 also.
    • Run the downloaded file on the affected machine. This should fix the problem and enable Security Center again.

Hope this helps.

-1

Update: The following tool https://www.malwarebytes.org/antirootkit/ successfully resolved the proxy hijack issue. The following is the log file listing the infected registry entries.

Log file:

Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{0353F2CF-07EC-4399-A07F-F1FF7685132F}|Path --> [Hijack.AutoConfigURL.PrxySvrRST]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{0353F2CF-07EC-4399-A07F-F1FF7685132F} --> [Hijack.AutoConfigURL.PrxySvrRST]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\InstallShield® Update Service Scheduler --> [Hijack.AutoConfigURL.PrxySvrRST]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL --> [Hijack.AutoConfigURL.PrxySvrRST]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|AutoConfigURL --> [Hijack.AutoConfigURL.PrxySvrRST]
Infected: HKLM\SYSTEM\CONTROLSET001\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES| --> [Hijack.AutoConfigURL.PrxySvrRST.PrxySvrRST]